1. Field of Invention
The present invention relates generally to the field of computer network management, and more particularly, to systems, methods, and software products for identifying network applications for processing packet data.
2. Background of the Invention
Conventional network applications in computer networks running over common layer 3 (network layer) protocols use static port mappings. A port mapping defines the specific port or socket number that network traffic for a specific network application is routed to, or sent from. These port mappings are available from the Internet Assigned Numbers Authority (IANA) in order to differentiate between applications. These application-port mappings are published and are well defined, and typically used to deliver network traffic to the appropriate applications.
When ports are defined statically in relationship to applications, it is possible for a network monitor, or similar product, to reliably identify traffic by looking at a single packet and checking its port number against the IANA (or similar) list. These static mappings are thus relied upon by network management software products to determine the protocols and applications being used for network traffic, and therefore compile information about traffic patterns, demand, latency, and other performance characteristics.
However, a number of network protocols allow for the use of dynamic application-port mappings. These protocols allow a packet to be sent from or directed to any available port, not only the statically defined ports. As a result, reliance on the static application-port mappings cannot guarantee accurate decoding and use of packets, or accurate analysis of network traffic.
For example, FIG. 1 illustrates the TCP header for a packet carrying HTTP traffic. The HTTP protocol (defined in RFC 1945) generally uses port 80 when running over TCP (defined in RFC 793). Traffic for the HTTP protocol is thus identified by examining the source or destination ports in the TCP header for the value "80". This value identifies the packet as being a TCP packet for the HTTP protocol.
However, the URL specification for HTTP (defined in RFC 1738) allows a dynamic port to be added to the end of a URL request. For example, a URL for HTTP may have the form "http://www.company.com:8080", where the value "8080" identifies the port number to be used. FIG. 2 illustrates the TCP header in this case. With a port of 8080 it is not possible using conventional network management tools to identify this as HTTP traffic, since the standard port is not being used.
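The following added example (not part of the original text) reproduces the single-packet, static-port identification described above and shows it failing for the port 8080 case. The two segments are constructed sample data, and the function names and the short excerpt of the static port list are assumptions made for illustration.

```python
import struct

# Short excerpt of the static application-port list (well-known assignments).
STATIC_PORT_MAP = {20: "FTP-DATA", 21: "FTP", 80: "HTTP", 119: "NNTP"}

def build_tcp_header(src_port, dst_port, seq=1, ack=0, flags=0x18, window=65535):
    """Construct a 20-byte TCP header (RFC 793 layout, no options, checksum 0)."""
    offset_flags = (5 << 12) | flags  # data offset of 5 words, PSH+ACK by default
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, window, 0, 0)

def parse_ports(segment):
    """Return (src_port, dst_port, header_len) from a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    src, dst, _seq, _ack, offset_flags = struct.unpack("!HHIIH", segment[:14])
    header_len = (offset_flags >> 12) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("invalid data offset")
    return src, dst, header_len

def classify_by_static_port(segment):
    """Identify the application from one packet by checking its ports
    against the static list; None means the traffic goes unidentified."""
    src, dst, _ = parse_ports(segment)
    return STATIC_PORT_MAP.get(dst) or STATIC_PORT_MAP.get(src)

# Constructed sample data: the same HTTP request sent to port 80 (as in FIG. 1)
# and to port 8080 (as in FIG. 2). 49152 is an arbitrary client port.
REQUEST = b"GET / HTTP/1.0\r\n\r\n"
FIG1_SEGMENT = build_tcp_header(49152, 80) + REQUEST
FIG2_SEGMENT = build_tcp_header(49152, 8080) + REQUEST

if __name__ == "__main__":
    for name, seg in (("port 80", FIG1_SEGMENT), ("port 8080", FIG2_SEGMENT)):
        src, dst, hlen = parse_ports(seg)
        print(name, "->", classify_by_static_port(seg), "| payload:", seg[hlen:hlen + 14])
```

Both segments carry the same request bytes, yet only the port 80 segment is labelled, so a monitor relying on the static list undercounts HTTP traffic.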
This problem has existed at least since the introduction of the HTTP protocol in 1991. This problem also occurs with other protocols, such as FTP and NNTP, and for any of the many IP protocols. Indeed, dynamic ports are frequently used, for example to provide for security or for improved resource sharing. Accordingly, there is a need to be able to handle dynamic mappings for network traffic.
Several approaches have been attempted to solve this problem. Some existing solutions require that network management software be manually configured to add the mapping of the new port (e.g. 8080 or whatever other port number is used) to the application protocol HTTP (or other protocol). This requires the user of network management software to know in advance the ports being used, in order to configure the mapping. This is not a satisfactory solution since it is generally not possible to know the mappings ahead of time. In addition, the mappings can change at any time. Thus, preconfiguring the network management software with a fixed set of mappings means that the software does not have great flexibility to deal with new mappings. In addition, the software will not be able to identify many packets which do not comply with its preconfigured mappings.
Other schemes require instrumentation of the application using the protocol to determine the port mappings it is using, or the interception of common protocol interfaces, such as in Microsoft Corp.'s WinSock, to attempt to determine the mapping required. Neither of these methods provides a non-intrusive or configuration-free method of identifying application traffic from a raw stream of data on a computer network.
Accordingly, it is desirable to provide a system, method and software product that can dynamically map application and port relationships and thereby correctly identify applications, protocols and other network data from packet data.